PHP Script Redirection Issue Due to InfinityFree Security System

Website URL

https://dbiblio.rf.gd

Error Message

cart.js:123 SyntaxError: Unexpected token ‘<’, "<!doctype "… is not valid JSON
at JSON.parse ()
at xhr.onload (cart.js:110:39)
cart.js:122 Failed to parse JSON: <!doctype html>

Other Information

I’m encountering an issue with my PHP script on my website hosted on InfinityFree. When attempting to retrieve product details from my products table of my database using a PHP script, the response is unexpectedly redirected to another URL, preventing me from obtaining the JSON format of the product details as intended.

Apparently this redirection is caused by InfinityFree’s security system, which enforces restrictions on certain types of requests and clients. But, this security measure is causing my PHP script to fail when accessed through certain clients for the purpose of interacting with your (MySQL) database.

I’m reaching out to the community to see if there are any workarounds or solutions that could allow me to retrieve the product details using my PHP script without encountering the redirection issue.

Thank you in advance for your assistance and insights.

Your post is pretty vague, but you seem to be describing this issue:


What URL? What code is managing the response? How are you creating the request?

5 Likes

There are other problems like encoding/charset

and using shell_exec() (All PHP Shell commands are disabled on this hosting for security)

5 Likes

I had a look at your website, and I’m not sure that the errors you’re seeing are a hosting issue.

As you can see, the error message says that Javascript is unable to parse text as JSON. However, when I check the Network tab in my browser, I don’t see any requests that actually return JSON.

The update_cart.php endpoint just returns the text Cart data updated successfully, which is not valid JSON. And the get_product_details.php endpoint doesn’t return anything at all (which is also not valid JSON).

Which clients are those? Using this code from your website hosted with us should just work. But hosting the frontend on another domain, or even on your own computer for development, will not work.

This is a little bit restrictive, but I don’t see any reason why your shop cannot work on our hosting for your customers.

Usually this is caused by not configuring a MySQL charset in your code, after having entered the database contents through phpMyAdmin.

5 Likes

Hi beemybold,

Your website is attempting to fetch a JSON response from the host, but since your website is WordPress, if it cannot process a response due to errors like disabled functions, it will return HTML instead. When this HTML response is decoded as JSON, the characters aren’t as expected and you get decode/parsing errors.

Check your website code to see if there are such functions besides this one

Cheers!

3 Likes

When making a request to the get_product_details.php script on my website hosted on InfinityFree, the response contains a JavaScript script (which I provided earlier) that redirects the browser to the following URL: https://dbiblio.rf.gd/get_product_details.php?productId=BCk2hm-1711682545&i=1

Here’s a simplified version of the PHP script I’m using to handle the request:


<?php

// include database connection

if (isset($_GET['productId']) || isset($_GET['product_id'])) {
    $productId = isset($_GET['productId']) ? mysqli_real_escape_string($conn, $_GET['productId']) : mysqli_real_escape_string($conn, $_GET['product_id']);

    //  query to fetch the product data
    $select_query = "SELECT * FROM `products` WHERE `product_id` = '$productId'";
    $result_query = mysqli_query($conn, $select_query);

    if ($result_query) {
        if ($row_data = mysqli_fetch_assoc($result_query)) {
            // Add additional properties to the $row_data array
            $row_data['coverImageUrl'] = 'admin_area/book_cover/' . $row_data['product_cover'];
            $row_data['product_stars'] = $row_data['product_rate']; // Assuming your rating is stored in product_rate

            // Output the response as JSON
            header('Content-Type: application/json');
            echo json_encode($row_data);
            exit();
        } else {
            // Handle case when product is not found
            header('Content-Type: application/json');
            echo json_encode(['error' => 'Product not found']);
            exit();
        }
    } else {
        // Handle error when fetching product details from database
        header('Content-Type: application/json');
        echo json_encode(['error' => 'Unable to fetch product details']);
        exit();
    }
} else {
    // Handle missing productId parameter
    header('Content-Type: application/json');
    echo json_encode(['error' => 'Product ID not provided']);
    exit();
}

In my local environment, this request returns a response like this:
{
"product_id": "unique iD",
"product_title": "string",
"product_price": "float",
"coverImageUrl": "filename.png"
}

As for how I’m creating the request, I’m simply accessing the get_product_details.php script through a web browser or using tools like cURL. The issue occurs consistently regardless of the method used to make the request.

I hope this additional information helps clarify the situation. If there are any further details needed, please let me know. Thank you for your assistance.

Thanks for bringing that up.

Regarding the encoding problem, it’s weird because it’s not happening in my local setup, so I’m guessing it might be something to do with the hosting setup. Any tips on how to fix that?

As for shell_exec(), I’m scratching my head because I haven’t used that function anywhere in my checkout.php page. Could it be a hiccup on InfinityFree’s end, or am I missing something?

If you could shed some light on these issues, that’d be awesome.

Read again

In short, even if you think you are “simply accessing your website with cURL”, it won’t work. This is the intended behaviour.

Those requests can only work with Javascript AJAX in the same website, not somewhere outside of your website.

2 Likes

A server “hiccup” can’t make code appear out of nowhere.

All of the code returns hard coded values, except for one:

            // Output the response as JSON
            header('Content-Type: application/json');
            echo json_encode($row_data);
            exit();

Given that the page returns empty, apparently the echo json_encode(...) line returns empty.

If we look at the documentation of json_encode, we see that it will return false if the data cannot be converted to JSON, and if you do echo false;, you will see nothing.

We established before that you have character encoding issues with your database connection. And the PHP docs for json_encode say that:

All string data must be UTF-8 encoded.

And we’ve already seen on your web page that this is not the case.

So I think that if you fix the character encoding issue with your database connection, the JSON endpoints will work too.

5 Likes
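The failure described in the reply above, as an added example that is not part of the original thread: json_encode() returns false for a row containing non-UTF-8 bytes, so the endpoint prints an empty body unless the result is checked. The sample row is constructed, the function names are hypothetical, and mb_check_encoding() assumes the mbstring extension is loaded.

```php
<?php
// Constructed sample row: the title holds Latin-1 bytes ("Café", é = 0xE9),
// as a connection without a UTF-8 charset could hand them to PHP.
$row = ['product_id' => 'demo-1', 'product_title' => "Caf\xE9", 'product_price' => '9.50'];

/** Return the names of string fields that are not valid UTF-8 (needs ext-mbstring). */
function invalid_utf8_fields(array $data): array
{
    $bad = [];
    foreach ($data as $key => $value) {
        if (is_string($value) && !mb_check_encoding($value, 'UTF-8')) {
            $bad[] = $key;
        }
    }
    return $bad;
}

/** Encode $data and return [HTTP status, body]; the body is never empty. */
function encode_response(array $data): array
{
    $json = json_encode($data);
    if ($json !== false) {
        return [200, $json];
    }
    // json_encode() returned false; `echo false` would print nothing at all.
    error_log('json_encode failed: ' . json_last_error_msg()
        . ' in fields: ' . implode(', ', invalid_utf8_fields($data)));
    return [500, json_encode(['error' => 'Unable to encode product details'])];
}

// Latin-1 bytes: encoding fails and the caller gets an explicit error body.
[$status, $body] = encode_response($row);
echo $status, ' ', $body, PHP_EOL;

// The same title as UTF-8 bytes, which is what a utf8mb4 connection delivers.
$row['product_title'] = "Caf\xC3\xA9";
[$status, $body] = encode_response($row);
echo $status, ' ', $body, PHP_EOL;
```

In the real endpoint, pass the returned status to http_response_code() before echoing the body.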

Website URL

https://dbiblio.rf.gd/

Error Message

Other Information

I created a MySQL database on https://cpanel.infinityfree.com/ for my website but I’m encountering encoding issues because the text with special characters is not being rendered properly. I tweaked the table’s collation between utf8mb4_unicode_520_ci, utf8mb4_unicode_ci and utf8mb4_general_ci but nothing has changed. I don’t have these issues on my localhost.

How can I fix it?

Hi beemybold,

This is expected behavior due to the security system on IF, if you attempt to use non-browser tools like CURL or Postman, it won’t work. The i=1 appended query parameter shows this behavior.

To correctly test your page, you should use a browser as your page is expecting a GET request anyways. Your browser can understand the security system and will redirect to your ajax request without issues. What matters here is that your page can produce a result that works out a json response instead of an HTML.

I’ve revised your code as follows for better debugging insights and easier reading:

<?php

// $conn is assumed to be the mysqli connection created by your database include.

header('content-Type: application/json; charset="utf-8"');

if(!array_key_exists('productId', $_GET)){
    // exit(400) would only set the process exit status, so set the HTTP status explicitly
    http_response_code(400);
    echo json_encode([
        'error' => 'Product ID is missing.',
    ]);
    exit();
}

// Read the same key that was checked above
$product_id = trim($_GET['productId']);
if(empty($product_id)){
    http_response_code(400);
    echo json_encode([
        'error' => 'Product ID is empty.',
    ]);
    exit();
}

// The + quantifier allows IDs longer than one character
if(!preg_match('/^[a-zA-Z0-9\-]+$/', $product_id)){
    http_response_code(400);
    echo json_encode([
        'error' => 'Product ID is invalid.',
    ]);
    exit();
}

$query = sprintf('SELECT * FROM `products` WHERE `product_id` = "%s"', mysqli_real_escape_string($conn, $product_id));
$result = mysqli_query($conn, $query);
if (!$result) {
    http_response_code(404);
    echo json_encode([
        'error' => 'Product ID is not found.',
    ]);
    exit();
}

// mysqli_fetch_assoc() returns null when no row matched
$data = mysqli_fetch_assoc($result);
if(!$data){
    http_response_code(404);
    echo json_encode([
        'error' => 'Product ID is not found.',
    ]);
    exit();
}

$data['coverImageUrl'] = 'path_to_default_image';
if(array_key_exists('product_cover', $data) && !empty($data['product_cover'])){
    // make an attempt to check if the file exists here
    $data['coverImageUrl'] = sprintf('admin_area/book_cover/%s', $data['product_cover']);
}

$data['product_stars'] = intval($data['product_rate']);
echo json_encode($data);
exit();

Meanwhile, there’s one more encoding that is involved in your website display - your code’s encoding. Even if you set the meta charset to UTF-8, if the file itself is not then things will still go south. To change that, use Notepad++ and change the file encoding to UTF-8 (without the BOM).

Also mysqli_real_escape_string is no longer considered secure, and you should seek solutions like PDO, or use framework query methods.

P.S. I’ve read another post on this forum saying that websites that have been mentioned here were DDoSed, and I also find yours suspended due to hit limits. You might want to reach out to support for a solution on that one to continue solving the matter here.

Cheers!

3 Likes

You need to set the database charset on the database connection in your PHP code. phpMyAdmin uses utf8 by default, but PHP uses latin1. So data created through phpMyAdmin will end up garbled on your website and vice versa. The charset and collation in your database don’t really matter for this.

For MySQLi: PHP: mysqli::set_charset - Manual
For PDO: PHP: PDO_MYSQL DSN - Manual

4 Likes
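One way to combine the two suggestions above, setting the connection charset with mysqli::set_charset and replacing string escaping with a prepared statement, as an added example that is not code from the thread. The DB_* constants are placeholders, fetch_product() is a hypothetical helper, and get_result() assumes the mysqlnd driver is available; the table and column names are the ones in the original post.

```php
<?php
// Placeholders, not real credentials: substitute the values from your hosting panel.
const DB_HOST = 'DB_HOST_PLACEHOLDER';
const DB_USER = 'DB_USER_PLACEHOLDER';
const DB_PASS = 'DB_PASS_PLACEHOLDER';
const DB_NAME = 'DB_NAME_PLACEHOLDER';

// Make mysqli throw exceptions instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/** Hypothetical helper: fetch one product row, or null when nothing matches. */
function fetch_product(mysqli $conn, string $productId): ?array
{
    // The ? placeholder keeps the user-supplied value out of the SQL text.
    $stmt = $conn->prepare('SELECT * FROM `products` WHERE `product_id` = ?');
    $stmt->bind_param('s', $productId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

/** Send a JSON body with an HTTP status and stop. */
function respond(int $status, array $body): void
{
    http_response_code($status);
    echo json_encode($body, JSON_THROW_ON_ERROR);
    exit();
}

header('Content-Type: application/json; charset=utf-8');
try {
    $conn = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $conn->set_charset('utf8mb4'); // rows now arrive as UTF-8, which json_encode() requires

    $productId = $_GET['productId'] ?? '';
    if (!is_string($productId) || !preg_match('/^[a-zA-Z0-9\-]+$/', $productId)) {
        respond(400, ['error' => 'Product ID is invalid.']);
    }
    $row = fetch_product($conn, $productId);
    if ($row === null) {
        respond(404, ['error' => 'Product not found']);
    }
    respond(200, $row);
} catch (Throwable $e) {
    error_log($e->getMessage()); // keep details in the server log, not in the response
    http_response_code(500);
    echo json_encode(['error' => 'Unable to fetch product details']);
}
```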

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.